10 Cybersecurity Myths - Most Common Cybersecurity Questions

June 1, 2021

The Cyber Rants Podcast

Episode #30 - Beware of these Top 10 Cybersecurity Myths

Zach and Lauro discuss 10 common cybersecurity myths that are causing business leaders to make poor decisions and making companies an easy target for cyber criminals. They clear up these myths and share how you can be better informed if you hear something that doesn't sound quite right. Learn about the most common cybersecurity questions on this week’s episode.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to the cyber ants podcast this is your co-host

zach fuller and today i am joined by lauro chavez mike rotondo is out on vacation so lauro

before we dive into our topic of the day which is cyber security myths and dispelling those

why don't you kick us off with the news and the exploits all right yeah thanks mike hope you

enjoy your vacation um so for the headlines this week a couple interesting things bell

jim's interior ministry uncovers a two-year-long compromise of its network uh belgium's federal

public service interior has suffered a complex sophisticated and targeted cyber attack when

the microsoft released out-of-band security updates for exchange server in early march

uh fixed zero day vulnerabilities exploited uh basically they they fell in line um with

this particular place and and and uh it says here that the attack broke out in april of 2019 meaning

that they did not exploit the exchange flaws to get in so interestingly enough the complexity of

this attack indicates that an actor who has cyber capabilities and exhaustive resources

can perpetuate an active attack against the state a nation state federal service interior

so interesting there again i think we see that a lot where a lot of organizations are breached

and they're breached for a long time before they figure it out another one here u.s to

regulate pipelining cyber security the united states department of homeland security to issue

its first ever set of cyber security regulations for pipelines according to the washington post

news comes into the wake of the recent ransomware attack on the colonial pipeline that knocked

operation systems offline for five days triggering panic buying that led to fuel shortages in the

southeast so i think what's interesting is that that 4.4 million ransom that that was paid um

you know that the scada network itself wasn't compromised the pipeline um you know operates on

this was a a ransomware attack to the corporate network but it was the fear of the unknown that

caused the organization to turn the pipeline off so i i always think that's kind of interesting

that's a great myth and it ties in with today because i hear a lot of people that say

oh did you hear about the pipeline the hackers shut it down right yeah it's a greatness

just turned off their own button yep yep misspelled bust- this one's busted

yeah myth busted so so this is interesting too so this is this is basically titled ransomware unmask

and so a dispute reveals the ransomware ttps right and so so here's a group and an actor offering to

negotiate with victims that has shed light on the rise of ransomware consultants interesting

okay this revealed that the operational methods of ransomware hackers and what they use to get

organizations to pay so ransomware consultants research victims to gather intelligence

for realistic ransom demands and conduct the negotiations on behalf of the ransomware group

the core reason that ransomware groups are looking for these types of services is that

all they are they're proficient at gaining access to the victims and encrypting the data

they're less proficient at extracting ransom payments as criminal profits from ransomware

attacks grow to nearly 370 million in 2020 the ecosystem of accompanying services and actors

continues to undergo greater professionalization interesting right they're looking for ransomware

consultants like the negotiators on on you know what what what they'll negotiate with

the organization to get their data back weird you think it's like just you just go

to ransomware ransomwareconsultants.com and and put in your info and and hire somebody yeah yes

i pictured in the movies like you know two two people have to meet and they're kind of

in disguise right and they meet at a booth in a restaurant and it's always like uh it's always

like some diner that was built in the 60s or 70s in kind of a a little bit lower end part of town

that's how you meet your ransomware consultant that's how you meet him there yeah over

over some cabbage rolls or something you know anyway the new ponemon institute study reveals

cloud account compromises cost organizations over 6 million annually interesting so cloud account

compromises right and so proofpoint uh you know cyber security compliance company basically and

an iot research organization released the results of a new study on the cost of cloud compromise

and shadow i.t the average cost of account compromises reached 6.2 million over a 12-month

period according to over 600 it and i.t security professionals in the u.s in addition 68 of these

survey respondents believe cloud account takeovers present a significant security risk to their

organizations with more than half indicating the frequency and severity of cloud account

compromises has increased over the last 12 months so interesting so it illustrates essentially that

leaving saas security into the hands of end users or lines of business can be quite costly

so yeah if you if you can't secure your own prison stuff you certainly doesn't make you

qualified to secure your cloud account stuff so um you know super interesting that that's that's

coming up and it basically stated magnified is fewer than 40 percent of respondents that

organizations are diligent in conducting uh cloud app assessments before deployment

okay this is mainstream news if i were to repeat that right risks are also magnified as fewer than

40 of respondents say their organizations are vigilant and conducting cloud app assessments

before deployment you need to assess what you're doing before you deploy anywhere right i mean

there should be some sort of sign-on and last but not least iranian hacking group agrius pretends to

encrypt files for ransom but destroys them instead so the group and the combination of its own

um tool sets readily available for an offensive security software basically as a destructive

wiper or a custom wiper tuned ransomware variant as they're calling it basically

um but the ransomware group such as maze and conti doesn't appear that ags is purely motivated by

money instead they basically just like to destroy stuff so um this is you know really kind of

cyber destruction or cyber espionage but it's at its um finest so very very interesting here

and for exploits uh this week i guess i'll jump into that as well thanks mike

um a couple wordpress things i want to bring up uh if you're running uh plug-in cookie law bar make

sure that you've got that patched and if you're reading the ready rest uh restaurant reservation

plug-in uh there's a there's a sword cross-site scripting as part of that so so make sure you're

updating that as well and what i want to bring up that i haven't validated but sounds interesting is

that there are exploits listed for a coven 19 testing management system 1.0 so this is used

by hospitals and some of the the test facilities that set up the the testing management system for

coven 19 is a patient essentially database and accessing system and there are a couple things

there are cross-site scripting for admin and a blind sql injection with authentication bypass

which i think is is interesting so um for those out there in the health management organizations

if you're listening if you're using that covet 19 testing management system check what version

you're running 1.0 is vulnerable to a couple nasty things and that should certainly be upgraded

most most certainly and that's that's it for exploitation and the news this week

zach what are we talking about thanks lauro 1.0 is never a good version so update update update um

well well yeah a lot happening um it's interesting how many of our you know myths actually came out

in the news so let's just go through here and i actually have a list of 10 common myths that we

hear that just come up in discussion and nobody's fault right it's it's you know these are generally

from people that are outside the industry that are that are misinformed and uh make assumptions

about things that aren't entirely correct now the problem is making assumptions when it comes to

cyber security oftentimes is what gets people breach and so the first major assumption that

we hear a lot of organizations is that we're too small to be a target for cyber criminals

why would they come after us why would they uh look for us how would they even find us right

customers even have a hard time finding us how would a hacker find us the cyber criminal find

us but of course there's mass scanning and it's not like they're just after you

lauro your thoughts on that uh anybody when you've got humans that are bored at work probably and if

you know you're you're small enough to not have any web filtering controls who knows what your

your humans are doing on your computer systems and if you're touching the public fabric of the

internet just like you said you're gonna get scanned your services are gonna get scanned um

you know it's it's they're actively looking for low-hanging fruit and and so you know

typically these small organizations are prime pickings because they don't they're startups

or you know in whatever case they don't have a lot of the innate security controls they need

and they're just trying to get stuff out on the internet and get their you know get get things

running and their proof of concept and and so yeah certainly a big myth um you you will be

you will be identified eventually if you you're doing anything dns or public ip related period or

if you have humans that are surfing the internet and they don't have training something eventually

will will default you yep and that uh that means easy target well the next target number two it

kind of dovetails off that well we don't have anything a cyber criminal would want i've heard

i've heard um oh well we don't store credit card data or personally identifiable information

or protected health information right so we don't have anything a cyber criminal would want right

now you got compute you got money are you making money is the answer is yes and you're

using compute and the answer is yes then you're something a cyber criminal wants yeah if and if

you don't have money or compete then you're right you're actually right you don't have

anything to say you don't have anything if you have to make no money zero money or zero and

zero computers which um that's that's a rare type of business these days um but uh that's that's um

you're probably not not going to be a victim in that case everybody else everybody else has

a typewriter yeah if you've got a typewriter and a five and a quarter disc nobody wants you

there's probably somebody out there still after after whatever information you're in but

um or you're maybe if that's the case you're in a really crazy ultra classified business that's so

so secret that you have to go back to the old ways of doing things so the uh the old

intelligence community uh uh tactics so to speak but um what is that what is that substitution

ciphers on clay tablets is that what we're saying yeah there you go rot 13. um well yeah absolutely

you know that you never know i mean it could go back to microfilm and um and stuck in a bark chip

that's dropped off in a planter box you know somewhere and uh somebody else picks it up and

and yep that's that's how you're uh that's how you're communicating now because email's just not

not gonna cut it anymore if so if you're in that business kudos to you um awesome stuff

uh we have everybody else intelligence yeah um so that said and if you're in that business you got a

lot more to worry about um than cyber criminals like assassins and stuff so anyway i digress um

number three our it team is responsible for cyber security the oh the it team handles that

i'm sure they do yeah not the case well partially the case sometimes the case best case

um they've done a little bit right they've not deployed things

you know open-ended and you know put management consoles public facing and things like that um

but typically typically they're you know and i think we we talk about this a lot they're they're

busy doing day-to-day iot tasks and cyber security not only does it require a secondary skill set

um it requires secondary work and a lot of the the main your main itops individuals aren't going to

have that type that type of cycle to do right or to carry out so look hopefully there's there's

architecture involved and things have been put in mildly securely but i would wouldn't hold the

task to them if they have a amount of other work especially just have one it guy yeah or like like

you said i mean different tools different mindsets different um backgrounds i mean it cyber security

they're so they're cyber security and i t both are such vast industries vast subjects now nobody can

be an expert at everything so you can have you know brilliant brilliant i.t people we work with

a lot of companies that have just brilliant i.t people within their team but they also recognize

that hey this is where our our skill sets combined kind of stop um you know can you help us on the

cyber security side and then um it's also from an organizational governance perspective it's checks

and balances right does your you don't have your um bookkeeper performing your audits uh right so

why would your why would your i.t team do that for the the security technologies so yeah great point

excellent uh discussion you know and i think that's one that's it's we recognize as myth

but a lot of still organizations still live by that that just oh no the it team is just going

to take care of that stuff for us right and they they do play a critical role in security obviously

but there's uh there's certain limitations there but we're going to take a quick break

and come right back want even more cyber ants be sure to subscribe to the cyber rants podcast

get your copy of our best-selling book cyber rants on amazon today this podcast is brought

to you by silent sector the firm dedicated to building world-class cyber security programs

for mid-market and emerging companies across the us silent sector also provides industry-leading

penetration tests and cyber risk assessments visit silentsector.com and contact us today

all right and cyber security myth number four this goes right back to that the news article

you mentioned uh we are using cloud services so we're secure we're all set it's in the cloud it's

good microsoft's handling and google's handling it what are what are most of the breaches that

we investigate what do those have to do with i don't know for some reason it seems like

cloud environments i don't know cloud environments yeah so you know if if you're

uh it's i don't even want to i don't even want to do it i just i'm trying to talk can we just move

on to the next should we just be the next one okay so it's already talking about it cloud security

secure stuff in the cloud you know we're we're beating a dead horse here

we do hear smaller organizations um say that oh yeah we're in office 365 or all we use is you know

google g suite and dropbox and you know quickbooks is in the cloud and and that's those are and we

use slack you know and so oh we're secure we don't need a security program we got those things and

they just handle it but um that that could be a whole let's save that for a whole nother episode

sometimes yeah there's a lot to unpack there there's a lot to unpack especially when you're

migrating stuff to the cloud and i think real quickly before we move on we've assessed several

organizations that have had a pretty secure solid web app and then they've moved it to azure or

aws or something else and the code base you know has to have altercations which caught which have

caused some exploitable vulnerabilities that we were able to catch and they were able to fix but

that just goes to show you that you you can't just migrate things to the cloud right there's

there's a lot of things that change there's a lot of security services that need to be

um checked and and that configuration or over the the whole environment needs to be validated

absolutely well to be continued on cloud services uh there are tremendous advantages to them

but we need to have a whole episode or five on just that topic so this the fifth the fifth

cyber security myth and by the way these are in no particular order but uh all all of them come

up so the fifth is i'm smart i wouldn't fall for a phishing scam right there that wouldn't fool me

i fell for my own phishing scam you know send out an internal email that turns out to be a

phishing email and yeah you know that's brings up a good point i mean i remember

a client that we did a batch of fishing tests for uh during the ramp up of covid and they were

apparently i mean they look to the users like they were internal emails coming from

the president of the company dictating a policy and what was our what was our

open rate on that i think it was a hundred percent yeah i remember everybody

now i will say we made the email look very convincing but we had 100

100 clickability on that on that bait right there all the fish spot

on that one that's what cyber cyber criminals are doing now though they're they're looking

they're matching the signature blocks they're matching the names all that even spoofing domains

all of that i mean it can be tremendously difficult to catch some of these other others look

very very legitimate they'll do research uh they on on people and do more targeted spear phishing

attacks especially especially on security professionals i.t professionals executives

they'll spearfish and it's it's your your cousin that you haven't talked to

for a year but you've been you know really wanting to do that next vacation get together with their

family or whatever i mean it can they can get very sophisticated and their ingredients is getting a

lot better now with ai than you know database stuff right so they're they're actually they're

actually doing doing a good job now they're they're harder to decipher and you know the last

person that we heard say that they were too smart to click on an email cause me hundreds of hours of

my life and an investigation of the breach that was somebody clicked on a 100 amazon gift card

man it does happen it was worth a try right it only ended up costing the company millions but

a hundred bucks on amazon so everybody's i think none of us should say that we wouldn't fall for

it we could say that we're pretty confident in our abilities but that being said you never know

what's out there and there's other scams too think about this wishing uh elicitation of information

right it's like the whole human intelligence world right i mean there's people i guarantee you right

now nation state actors are getting people that live in the us hired in u.s companies where they

want to gain access so good goes much much deeper than fishing that's just the entry-level stuff but

it can get into a deep dark world when you when you really think about the extent of what goes on

especially in a government and uh government realm but also within the terrorism realm so yeah the

new training is going to be like how to know your co-worker is a mole yeah yeah exactly that's ah

that's excellent we should offer that do we offer counter intelligence courses for organizations

and everybody's watching out for each other you like working in an agency so the next number six

here is oh a third party provider is going to make sure we're secure right this i have

a cyber security company it's a managed security services provider mssp they're going to secure us

obviously we wouldn't bring that up if it wasn't a myth yeah absolutely i think that the services

need to be you know looked at it you know making assumptions that you know on a limited statement

of work that they're going to do everything for you and make you 100 as foolish to think and even

if they did to be consider yourself 100 um defense posture is still foolish to think yeah absolutely

and and there are a lot of limitations that right so mssps can certainly have a a place in

a security program but generally you have to think about the business structure right the business

structure is generally selling tools technologies and and getting those configured plugging them

in monitoring those remotely through a sock and such but that's not a defense in-depth uh

program right it's not a holistic cyber security program so there's a lot more to think about

in terms of the strategy the organization the governance the human element the culture right

um all these things have to go into place right so it's not just a matter of monitoring dashboards

remotely in your secure there's a lot more to it in any organization that tells you they're gonna

set you up and make you secure and and do it all on their own without your involvement or with with

minimal involvement i mean that's that's a bunch of bs right that just doesn't unfortunately that

just it can't be done it'd be nice right but it it just it takes both sides to truly build a defense

in-depth yeah scenario you wouldn't you wouldn't want that organization operating in a vacuum

on your behalf anyway you know what i mean they need to you know make sure that they operate as a

wing of the business right so exactly we we might even if we power through we might even get through

all 10 myths here and there are certain answers that these are top 10 but number seven we're

compliant with our regulations so we're good right we're secure compliance is not security uh wrong

not big big red flag right oh we're hipaa compliant we're fine oh we're pieces yeah to what

scope i always ask right what scope to what scope are you pci compliant is it the whole company or

did you want it to scope right or hipaa compliancy the same thing right did you is the whole company

every business asset hipaa compliant or did you limit the scope to just you know these specific

machines right i think that's that's a that's a tall giveaway right there when an organization is

limited scope for a security framework and then kind of use that as a as a as an excuse to be

secure like what do you mean scope we use stripe we're good we're secure you know there's a lot

more there yeah that's the thing to remember and for those people are seeing that don't

aren't involved in the compliance side remember compliance is generally focused on a specific

segment of your organization like pci or specific data set like hipaa right as protected health

information phi so that's what they're focused on even the your other requirements like ccpa

and such gdpr that's that's focused on your customer data right but it it doesn't care

so much about the rest of the organization all the things that are required to operate

that organization for it to function it's more generally more data driven whereas if you look at

a holistic security framework like a nist csf or cis controls or something like that then you're

looking at a a broader security posture for the whole organization and compliance will become a

lot easier if you're aligned to a broader security framework so number eight cyber security is com

confined to the digital environment right cyber security is just digital it's about

digital things which of course is not the case because you have to have physical protection to

protect those digital things and humans are using those digital things and are known to screw up

they are and i was funny one of the news uh articles that i i didn't bring forward this

morning was about uh usb drops being back on the rise which i think is an interesting thing but i i

had to weigh the interest for the other stuff too so but i figured i'd fit it into this part of the

myth but that was part of the news uh segment um from from the headlines that we got was that the

usb drops are back on the rise because humans are interested in what could be on there right

yeah that's that's the old trick to put put a a co-worker's name on it and write write private

or something like that and somebody else will pick it up you know drop it in the bathroom or whatever

and people pick it up and oh i'm going to snoop on on steve you know see what he's up to right

all you have to all you have to do is label it snapchat stills and then everybody will pick it up

yep and then the other thing too you got got to think about physical security right we do these

assessments where we go and look at the security program from a physical perspective right what

can i get to why walking in the office and a lot of times you know you can walk right into

network closets and get connectivity you can you know there's wireless right that that whole side

of the the uh the equation as well and ranges and such so you have to look at your your physical

defenses throughout the organization your awareness rights of social engineering uh

physical intrusion type testing that sort of thing so there's a lot more than just uh on

you know your antivirus on the computers that you know and kind of limiting it to that so of course

any listeners with background and stuff will know that but it's common myth that we need to

share uh with the the world that isn't educated in these things um number nine everything is hackable

so we're just going to take our chances right why bother why bother the cyber criminals i mean they

can they can breach solarwinds microsoft all that you know why why should we even even bother but

the reality is yes that's cur that's correct but the why bother part is because if you have a good

security program in place your damage is going to be limited and confined to a much smaller point

almost to the point where it's it's negligible to you know the point of no damage right plus

you owe it to you owe it to your country you owe it to your family you owe it to your employees

and to the you know the board of directors and the investors to you know do your best

job to you know secure your computing systems right as part of your business so i think it's

you know everybody's depending on you to do the right thing right so it's certainly not an excuse

absolutely yeah it's not just it's not just the the soldiers in other countries right

defending the us right that you know absolutely critical part but we all have our part here

within the u.s to do this to secure our systems our infrastructure right because that can't

be defended externally we we all have a i think a ethical moral obligation to do this so

do it anyway right even if you don't want to but finally number 10 how we see cyber security today

is how it's going to continue right you know and of course that's not the case right because

we have some big things coming up in quantum computing for instance that i think are going to

be game changers what do you think happened with with quantum computing and with what's going on

in in five minutes or less if five minutes or less i'll do it in just a minute because i think

this is a you know this is for a completely separate podcast but i think the breakthroughs

in quantum computing and you know if you've played with the ibm quantum experience you

i think you can understand the capability there with entanglement and superposition

and how that is going to translate to classic computing it's going to essentially turn us turn

this turn all this stuff into a dinosaur you know your your fancy brand new mac mini or whatever

might as well be an e-track tape at this point and so i think we're we're seeing the dawn of a new

competing an evolution in computing right and what that's going to mean for for cyber security is

going to change a lot i think the entire industry is going to change a lot but but what we know

um today is certainly changing rapidly and um as quick as we came into you know having

phones on our wrists right in the form of of the apple um apple watch and things like that um i

think we'll see quantum come into our lives a lot faster so i think a lot of this is going to change

yeah absolutely well it and there's not not to be fear monger or anything but

there's some things to consider right like our aes 256 encryption that we're you know

people are relying on now i mean that could go right out the window um and who knows how much

information is being encrypted information is being just harvested and held

now that potentially down the road be decrypted with a quantum computer very quickly well that

was the thing yeah no great great point you know we've spent the last you know half you know a

decade almost you know compiling massive databases right like hadoop's famous for this right but

massive just massive amounts of data because we you know we collected it we couldn't we couldn't

look at it at all we couldn't parse it all at the time but quantum is going to give us that ability

to give us that ability now to be able to to look through those those databases and and get data out

very quickly and very efficiently in ways that you know that we haven't been able to do that

before and you know like you said the encryption is going to have to change uh as well as lots of

other things you know i know everybody's got you know you know there's a cryptocurrency

um you know kind of world out there right where individuals have a lot of faith in blockchain

and when you look at how blockchain's developed on classic computing you'll need a version of

that for quantum if you expect to stay ahead of the game otherwise it's going to be on the same

8-track tape as everything else right yep your old your old uh your trust and current blockchain

be no more but uh interesting interesting stuff i mean that that opens up a whole whole other

can of worms definitely and there's going to be a lot of infrastructure upgrades i think in the

in our lifetimes um most definitely so something to consider something to watch out for but that

said hope you enjoyed this episode uh about cyber security myths and i hope we busted some of those

myths for you if if you actually had you know been following those or thought there was some truth

in them and then if not you keep these top of mind because realize that people still

still think this way so if you already knew all this outstanding but

share it with the world because it needs to get out there because there's still a lot of people

making very critical business decisions following these myths and that of course make some easy

targets for cyber criminals so lauro any final thoughts before we jump off here no none at all

zach it's been fun everybody enjoyed the show today all right we missed you mike

hope you're listening yeah we missed your vacation yeah i hope you enjoyed the show um by the way the

articles and such are being put on our website for the podcast so just go to cyberrantspodcast.com

and you can see the article titles and links and such to those and if you like the podcast

subscribe reach out let us know what you want us to talk about in future episodes and questions

you have and we are happy to address those but have a great day and we will see you next week

Episode #30 - Beware of these Top 10 Cybersecurity Myths

Send Us Your Questions & Rants!

Categories

Archives

Transcript